Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0.
Published: 2026-03-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (potential unintended code execution)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Improper Control of Filename for Include/Require Statement in PHP, resulting in a Local File Inclusion flaw in the Melania theme for WordPress. An attacker who can influence the filename used in the include/require statement may be able to read or include sensitive local files, which could lead to disclosure of confidential data or execution of arbitrary code on the compromised site. The weakness is classified as CWE-98.

Affected Systems

This issue affects ThemeREX Melania themes for WordPress from the initial release through version 2.5.0. The vulnerability is not present in versions released after 2.5.0.

Risk and Exploitability

The CVSS v3 score of 8.1 indicates a high severity level. The EPSS score is < 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker with access to the website can manipulate the include path to access local files. Exploitation would require the ability to direct the theme to include a malicious or sensitive file, but no prior setup or elevated privileges are explicitly required beyond normal web access.

Generated by OpenCVE AI on April 29, 2026 at 00:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Melania theme to the latest version released after 2.5.0, which resolves the LFI flaw.
  • If an upgrade cannot be performed immediately, deactivate or delete the Melania theme to remove the vulnerable code.
  • Restrict file system permissions so that only the web server can read WordPress core files, limiting potential LFI exploitation.

Generated by OpenCVE AI on April 29, 2026 at 00:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through <= 2.5.0. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0.
References

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through <= 2.5.0.
References

Fri, 20 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex melania
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex melania
Wordpress
Wordpress wordpress

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0.
Title WordPress Melania theme <= 2.5.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Themerex Melania
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:40.624Z

Reserved: 2026-01-07T12:21:02.764Z

Link: CVE-2026-22324

cve-icon Vulnrichment

Updated: 2026-03-20T14:01:42.695Z

cve-icon NVD

Status : Deferred

Published: 2026-03-20T10:16:18.413

Modified: 2026-04-28T19:36:28.820

Link: CVE-2026-22324

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T01:00:11Z

Weaknesses